MK Data Services

Research Universities & Colleges: Controlling Risk & Exposure in a Post 9/11 World

Introduction

The world post 9/11 is undeniably a very different place for research universities and colleges. The level of risk and potential exposure that research universities and colleges face has increased dramatically, and the penalties associated with noncompliance range from mild to severe. In November of 2001 the Bush Administration reaffirmed that National Security Decision Directive (NSDD) 189 remains in effect. This directive establishes national policy for controlling the flow of science, technolgy, and engineering information produced in federally funded fundamental research at colleges, universities, and laboratories. Fundamental research is defined as follows:

"Fundamental research means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons."

The tragic events of 9/11 only served to heighten security concerns and as there is a renewed interest in ensuring that the existing laws and regulations are enforced as strictly as possible. One of the challenges that research universities and colleges face today is understanding the legal basis for export controls in order to ensure that they are in compliance. The Case for Compliance Several recent high-profile cases have highlighted the need for universities and colleges engaged in research related activities to tighten their compliance controls and establish safeguards for the institutions and its staff members. Among the recent cases that highlight the need for tighter controls is the case of John Reece Roth, 71, a prominent plasma physicist who was sentenced to four years in prison for 18 counts of conspiracy, wire fraud and violations of the Arms Export Control Act, after he allowed a Chinese graduate student to see sensitive information on unmanned aerial vehicles (UAVs), also known as drones.

Roth, a retired professor at the University of Tennessee, helped found the university spin-off, Atmospheric Glow Technologies in 2000. The company won $10 million dollars in government grants to develop a radio-frequency technology to create ionized gas, or plasma, for use in a wide variety of applications, including sterilizing medical devices. In 2004, the company received a U.S. Air Force contract to develop a plasma actuator that could help reduce drag on the wings of drones, such as the ones the military uses. Under the contract, Roth was prohibited from sharing sensitive data with foreign nationals. According to the information released at trial, in 2006, Roth took a laptop containing sensitive plans with him on a lecture tour in China without gaining the proper export controls. Roth also allowed graduate students Xin Dai of China and Sirous Nourgostar of Iran to work on the project, both students are foreign nationals, which violated his contract.

Cases such as this are increasingly being prosecuted and the regulatory environment is both stiffening and becoming more ambiguous. Understanding what constitutes compliance, how to become compliant and to reduce risk is paramount for any university or college engaged in research activities.

Understanding Export Controls

As you can imagine the laws, rules and regulations regarding US export controls can be daunting and wading through all of the applicable laws, rules and regulations can be a complex and time-consuming undertaking. Many research universities and colleges today employ compliance experts and have compliance officers in addition to access to a variety of services and solutions that help the institution remain in compliance with the applicable laws, rules and regulations regarding the export of information or goods deemed to important to our national interests. For the layman it is important to understand the basis for export controls, which can be found in the following:

• The Export Administration Act of 1969
• Export Administration Regulations (EAR)
• 15 CFR §§730-774
• Arms Export Control Act of 1976
• International Traffic in Arms Regulations (ITAR)
• 22 CFR §§120-130

Digging into either the EAA, EAR, AECA or ITAR to fully understand the basis for export controls would take a significant investment in time, which is why we have outlined the following primer on export controls.

The Export Administration Act

The Export Administration Act (EAA) is the statutory authority for the Export Administration Regulations (EAR), which are administered by the Bureau of Industry and Security (BIS)[See Reference 1] located in the Department of Commerce.  These regulations establish the framework for regulating exports of dual-use, potentially sensitive commodities, software, computers, and technology.

Exports are restricted by item, country, and recipient entity. The EAA, which was written and amended during the Cold War, focuses on the regulation of exports of those civilian goods and technology that have military applications (dual-use items).  Export controls under the EAA were based on strategic relationships, threats to U.S. national security, international business practices, and commercial technologies many of which have changed dramatically in the last 20 years.

What is important to understand is that the EAA has consistently evolved and become increasingly complex particularly post 9/11. Among the changes to the EEA include legislation passed by the House and Senate and signed by the President on November 13, 2000 (P.L. 106-508) extended the EAA of 1979 until August 20, 2001, temporarily removing the need to operate the export control system under International Emergency Economic Powers Act (IEEPA) powers. Since then, export control authority has again been operating under IEEPA provisions pursuant to Executive Order 13222, issued August 17, 2001. The plethora of changes and provisions to the EAA are mind numbing, the important takeaway is that research universities and colleges need to be aware of the potential implications of non-compliance.

Under EAA the penalties associated with export control violations range the gamut from mild to severe. Criminal violations of the export controls can include fines up to $1M, or 5X the value of export, whichever larger, per violation and up to 10 years in federal prison. The penalties for civil violations of export controls are also significant and can include fines up to $120K per violation and the loss of export privileges. The reality is that new legislation is always being proposed to revise the penalty structure and increase penalties for export control violations. There are no anticipated changes in the regulatory environment that will change the nature of EAA compliance for research universities and colleges, compliance is not only mandatory it is essential to maintaining the institutions ability to engage in federally funded research activities.

The Arms Export Control Act & ITAR

Like EAA, the Arms Export Control Act of 1976 is complex and offers a variety of challenges for research universities and colleges regardless of whether they are conducting federally funded research for the United States Department of Defense (DOD) or not. The International Traffic in Arms Regulations (ITAR) implemented provisions of the AECC, described in Title 22 (Foreign Relations), Chapter I (Department of State), Subchapter M of the Code of Federal Regulations. Delving into the AEC or ITAR in depth would take a great deal of time, what is important to understand is that the goal of ITAR is to safeguard US national security and to further US foreign policy objectives, and is enforced by the United States Department of State. As you may have guessed by now, AECA and ITAR are complex and unfortunately somewhat ambiguous, which creates challenges for research universities and colleges.

Among the ambiguities are the definition of “defense services,” and its nexus to the sharing of data already in the public domain, whether information is in the public domain only if it has already been published or if it is in the public domain if there is an intent to publish, and ITAR’s limitation of the definition of fundamental research such that it only covers work conducted at a university. There are important differences in some key definitions between ITAR and the Export Administration Regulations, which are important to understand including the following:

• Under EAR, research at federally funded research and development centers and research conducted by scientists or engineers working for a business entity can be considered fundamental research if the other conditions for fundamental research are met. With that said, ITAR refers to research conducted only at “accredited institutions of higher learning.”
  
• The language of ITAR indicates that the fundamental research exclusion applies to information “which is published” and is generally accessible or available to the public. However, EAR exempts information that is publicly available, that is already published or will be published, or that arises during or results from fundamental research.
  
• EAR explains that no license is needed for classroom or laboratory teaching of foreign nationals in U.S. universities if the information is in the public domain. ITAR handles teaching by saying that “information concerning general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities, or information in the public domain” is excluded from the kinds of technical data that are subject to controls.
  
• An EAR exclusion is not lost when a university accepts a temporary delay of publication for prepublication review for proprietary or patent-protection purposes, but ITAR does not contain such language, and so whether this safe haven is available under ITAR is ambiguous.
  
• An EAR exclusion is not lost in a federally funded project when a university accepts specific national-security controls if controls are not violated in exporting the controlled information, but under ITAR the exclusion is lost in a federally funded project if such controls are accepted.
  
• A supplement to EAR provides extensive explanatory questions and answers regarding what is not subject to EAR in the context of university and research laboratory activities. There is no such elaboration in ITAR documents. 
  Conclusions

As you can quickly ascertain the laws, rules and regulations governing the export controls are complex and can be challenging to understand. Export controls are only part of the compliance challenges facing research universities and colleges today. Post 9/11 US based universities and colleges have to remain in compliance with the USA Patriot Act and other rules and regulations governed by the United States Department of Homeland Security. With that said, implementing policies, procedures and processes to protect the institution does not have to be complicated and or expensive. MK Data Services offers a variety of cost effective services and solutions that enable research universities and colleges to screen their staff, students, vendors and partners to determine quickly if a potential risk exists that requires further examination.

Specifically, MK Data Services provides a web-based denied parties screening solution, bulk screening services, automated batch screening services and a web-services based solution that can be integrated with the university or colleges existing legacy information technology solutions to provide a comprehensive compliance solution for the institution. MK Data Services provides compliance services and solutions to some of the nations premier research universities and colleges, to learn more about how MK Data Services can help your institution maintain compliance please contact us today.

References

The Export Administration Act of 1969, United States Government Printing Office, US Department of Commerce, Bureau of Industry and Security The Arms Export Control Act, US Department of State, Directorate of Trade Controls, http://www.state.gov 

Tennessee physicist sentenced to 4 years for sharing drone plans with foreign students, 2009, Brendan Borrell, 60-Second Science Blog, http://www.scientificAmerican.com

CSR Report for Congress, The Export Administration Act: Evolution, Provisions, and Debate, 2008,Ian F. Fergusson, Specialist in International Trade and Finance, Foreign Affairs, Defense, and Trade Division, Congressional Research Service 

Space Science and the International Traffic in Arms Regulations: Summary of a Workshop, 2008, Margaret G. Finarelli, Rapporteur, Joseph K. Alexander, Rapporteur, National Research Council

--------------------------------------------------------------------------------

Download the White Paper

--------------------------------------------------------------------------------

[1] This agency was known as the Bureau of Export Administration prior to April 2002.